Managing allowed URLs

Tanium as a Service deployments include a customer-specific proxy server that allows the destinations that are required for Tanium modules to work. Contact Tanium Support to request additional allowed entries.

The URL expressions that you configure on the Administration > Management > Allowed URLs page control how the Tanium Server handles file downloads that the Tanium Client requests from Internet URLs. When the Tanium Client executes content (such as action packages or sensors), the script associated with that content might request a file from an Internet URL. The Tanium Client API uniquely identifies the download by URL, including file name. For security, the Tanium Client sends a message to the Tanium Server, which checks the requested URL against its lists of package file URLs and allowed URLs. The package file URLs are known URLs that the package author specified. You use the allowed URLs to account for dynamic URLs, such as URLs that a Tanium Client script computed. If the URL does not match either list, the request fails.

The first time the Tanium Server handles a Tanium Client file download request that passes the allowed URLs check, the server downloads the file and stores a temporary package file and metadata so that it can distribute the file to endpoints (see Tanium Client User Guide: File distribution). The allowed URLs configuration includes settings that affect how often the Tanium Server checks for changes to the requested URL files and how often the server clears temporary files.

You must be assigned a role with the Write Allowed Urls (micro admin) permission to create, modify, or delete the allowed URLs configurations. Users that are assigned to the Administrator reserved role have this permission.

View allowed URLs

  1. From the Main menu, go to Administration > Management > Allowed URLs.

    The page displays the settings that are described in Table 1.


  2. (Optional) To displays the identifier for each allowed URL, click Customize Columns Customize columns and select ID.
  3. (Optional) Enter a text string in the Filter items field to filter the grid by URL Expression.

Add allowed URLs

  1. From the Main menu, go to Administration > Management > Allowed URLs.
  2. Click New URL Expression.
  3. Configure the following settings and click Save.
  4. Table 1:   Allowed URL settings
    Setting Description
    URL/regular expression Specify a URL.

    To allow multiple files from a base URL, select Treat the above text as a regular expression and specify the regular expression (regex). For example, the following regex allows any download from www.microsoft.com:

    http\:\/\/www\.microsoft\.com\/.*

    Note that the value is case sensitive. For example, the regex https\:\/\/192\.0\.2\.1\/abc\.csv allows https://192.0.2.1/abc.csv but not https://192.0.2.1/ABC.csv. The regex to allow both files is https\:\/\/192\.0\.2\.1\/abc|ABC\.csv.

    When a Tanium Client initiates a download that passes this check, the Tanium Server downloads the file so that it can distribute it to Tanium Clients through the linear chain.

    Download Interval (Optional) Select Check for changes after and specify an interval at which the Tanium Server checks the URL for changes to the requested file. The default is every six hours. If the check indicates there are changes to the file, the Tanium Server updates its copy of the file and restarts the expiration clock. For URLs that are specified regular expression, a timer is maintained for each match.
    Expiration

    (Optional) Select Clean up downloaded files after and specify the interval for clearing stale packages. The default is seven days. This means that the Tanium Server deletes files that it has not downloaded and that Tanium Clients have not requested in the past seven days. If a Tanium Client subsequently requests the URL, the Tanium Server downloads it again and resumes the update checks. For URLs that you specify with a regular expression, the Tanium Server maintains a timer for each match.

Edit allowed URLs

  1. From the Main menu, go to Administration > Management > Allowed URLs.
  2. Select an allowed URL configuration and click Edit Edit.
  3. Update the settings that Allowed URL settings describes and click Save.

Delete allowed URLs

  1. From the Main menu, go to Administration > Management > Allowed URLs.
  2. Select an allowed URL configuration and click Delete Edit.

Export or import allowed URLs

The following procedures describe how to export and import the configurations of specific allowed URLs or all allowed URLs.

Develop and test content in your lab environment before importing that content into your production environment.

Export allowed URLs

Export allowed URL configurations as a CSV file to view their settings in an application that supports that format. If you have the Administrator reserved role, you can also export allowed URL configurations as a JSON file to import them into another Tanium Server.

If you want to export other types of content in addition to allowed URLs, see Manage Tanium shared services and content.

  1. From the Main menu, go to Administration > Management > Allowed URLs.
  2. Select rows in the grid to export only specific allowed URL configurations. If you want to export all allowed URL configurations, skip this step.
  3. Click Export Export.
  4. (Optional) Edit the default export File Name, which is in the format: export-allowed_urls-<date>T<time>.<format>.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  5. Select an Export Data option: All allowed URL configurations in the grid or just the Selected allowed URL configurations.
  6. Select the file Format: JSON (Administrator reserved role only) or CSV.
  7. Click Export.

    TaaSThe Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Import allowed URLs

You can import content files that are in JSON or XML format.

  1. Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. Scroll to the Content section and click Import Import Content.
  4. Click Choose File, select the content file, and click Open.
  5. Click Import.

    If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.

  6. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices.
  7. Click Import again, and click Close when the import finishes.

Copy allowed URL configuration details

Copy information from the Allowed URLs page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Management > Allowed URLs.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy Copy.
    • Copy cell information: Hover over the cell, click Options Options, and click Copy Copy.